DOL Issues New Cybersecurity Guidance for Retirement Plan Sponsors
- The guidance provides tips to employers and plan fiduciaries for hiring a service provider; best practices for a cybersecurity program; and online security advice.
- It provides suggestions for cybersecurity terms to be included in a contract between a plan and a record keeper or other service provider.
- The advice is particularly important for retirement plan fiduciaries in light of recent ERISA fiduciary litigation involving cybersecurity breaches resulting in plan losses.
The Bottom Line
The U.S. Department of Labor has, for the first time, issued guidance to retirement plan sponsors, fiduciaries, record keepers, service providers and participants on cybersecurity issues. The DOL’s press release, which links to the three related pieces of guidance, is here.
The DOL guidance is particularly important for retirement plan fiduciaries who have been the subject of recent litigation involving cybersecurity breaches resulting in plan losses. The guidance takes three forms:
- Tips for Hiring Service Providers. This guidance provides practical guidance to retirement plan sponsors and fiduciaries who are selecting and negotiating contractual terms with retirement plan record keepers and other service providers.
- Cybersecurity Program Best Practices. This guidance confirms that responsible retirement plan fiduciaries have a fiduciary obligation under ERISA to ensure the proper mitigation of cybersecurity risks. It then identifies best practices for record keepers and other service providers responsible for plan-related IT systems and data. Such best practices track the NIST Cybersecurity Framework as well as FTC and other regulatory guidance, and will guide plan fiduciaries in making prudent decisions regarding the hiring and retention of plan service providers.
- Online Security Tips. This guidance is directed to retirement plan participants, and consists of best practices to help ensure the security of participants’ online data.
Significantly, the DOL guidance establishes a roadmap for retirement plan sponsors and fiduciaries to evaluate the strength of a record keeper’s or other plan service provider’s cybersecurity practices. Plan sponsors and fiduciaries are sometimes at a disadvantage in reviewing a particular service provider’s cybersecurity program because it is described in either very general or very technical terms that do not provide much context to the plan sponsor or fiduciary. The DOL provides the following recommendations for retirement plan sponsors or fiduciaries in evaluating a record keeper or other plan service provider:
- Ask about the service provider’s information security practices, policies and audit results, and compare them to industry standards adopted by other financial institutions.
- Look for service providers that follow a recognized standard for information security and use an outside auditor to annually review and validate cybersecurity.
- Ask the service provider how it validates its practices, and what levels of security standards it has met and implemented.
- Ask for contract provisions that give the plan sponsor the right to review audit results demonstrating compliance with the standards.
- Evaluate the service provider’s track record in the industry, including public information about information security incidents and other litigation.
- Ask whether the service provider has experienced past security breaches, what happened and how the service provider responded.
- Determine whether the service provider has insurance that would cover losses caused by cybersecurity and identity theft breaches (including breaches caused by internal and external threats).
- Ensure that the service provider contract requires ongoing compliance with cybersecurity and information security standards, and avoid contract provisions that limit the service provider’s responsibility for IT security breaches.
- In the service provider contract:
  - Require the service provider to annually obtain a third-party audit to determine compliance with information security policies and procedures.
  - Require the service provider to keep private information private, to prevent use or disclosure of confidential information without written permission, and to meet a strong standard of care to protect confidential information against unauthorized access, loss, disclosure, modification or misuse.
  - Require the service provider to quickly notify the plan sponsor of any cyber incident or data breach, and ensure service provider cooperation to investigate and reasonably address the cause of the breach.
  - Specify the service provider’s obligation to meet all applicable laws pertaining to privacy, security, and confidentiality of participant personal information.
  - Consider requiring insurance coverage such as professional liability and errors and omissions liability insurance, cyber liability and privacy breach insurance, and fidelity bond/blanket crime coverage, and understand the terms and limits of any such coverage.
Attorneys in Ballard Spahr’s Employee Benefits and Executive Compensation Group and Privacy and Data Security Group can help employers, retirement plan fiduciaries and plan service providers navigate the new guidance.
Copyright © 2023 by Ballard Spahr LLP.
(No claim to original U.S. government material.)
This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.